Bug 12205

Summary: Bad x86-64 strncasecmp on Intel Core i7
Product: glibc
Reporter: H.J. Lu <hjl.tools>
Component: libc
Assignee: Ulrich Drepper <drepper.fsp>
Status: RESOLVED FIXED
Severity: critical
Flags: fweimer: security-
Priority: P2
Version: 2.13
Target Milestone: ---
URL: http://sourceware.org/ml/libc-alpha/2010-11/msg00031.html
Attachments: A patch

Description H.J. Lu 2010-11-09 23:45:45 UTC
(gdb) p cp + 1
$78 = 0x749ffa "gottpoff"
(gdb) p gotrel[j].str
$79 = 0x505cbe "GOTPLT"
(gdb) p len
$80 = 6
(gdb) call strncasecmp (cp + 1, gotrel[j].str, gotrel[j].len)
$81 = 0
(gdb)
Comment 1 H.J. Lu 2010-11-10 00:05:34 UTC
[hjl@gnu-35 junk-1]$ cat test.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char cp [4096+16] __attribute__ ((aligned(4096)));
static char gotrel[4096] __attribute__ ((aligned(4096)));

int
main ()
{
  char *p = cp + 0xffa;
  char *g = gotrel + 0xcbe;
  strcpy (p, "gottpoff");
  strcpy (g, "GOTPLT");
  printf ("%p: %s\n", p, p);
  printf ("%p: %s\n", g, g);
  if (strncasecmp (p, g, 6) <= 0)
    abort ();
  return 0;
}
[hjl@gnu-35 junk-1]$ make
cc     test.c   -o test
./test
0x602ffa: gottpoff
0x604cbe: GOTPLT
make: *** [all] Aborted
[hjl@gnu-35 junk-1]$
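A regression check built on the reproducer in Comment 1, added here as an example (it is not part of the bug report or the glibc test suite). The report's first string sits at offset 0xffa of a page-aligned buffer, so it crosses a 4096-byte boundary; the sweep below generalizes that to every nearby placement and compares libc against a byte-wise reference. `ref_strncasecmp`, `sign` and `count_mismatches` are names invented for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define PAGE 4096

/* Byte-at-a-time reference; libc's result must agree with it in sign. */
static int ref_strncasecmp(const char *a, const char *b, size_t n)
{
    for (; n > 0; a++, b++, n--) {
        int ca = tolower((unsigned char)*a);
        int cb = tolower((unsigned char)*b);
        if (ca != cb)
            return ca - cb;
        if (ca == 0)
            break;
    }
    return 0;
}

static int sign(int v) { return (v > 0) - (v < 0); }

/* Slide s1 over offsets 0xfe0..0x1020 (includes the report's 0xffa) and s2
   over all 16 alignments from 0xcb0 (includes 0xcbe); count disagreements. */
int count_mismatches(const char *s1, const char *s2, size_t n)
{
    static char buf1[2 * PAGE] __attribute__((aligned(PAGE)));
    static char buf2[2 * PAGE] __attribute__((aligned(PAGE)));
    int bad = 0;
    for (int o1 = PAGE - 32; o1 <= PAGE + 32; o1++) {
        for (int o2 = 0xcb0; o2 < 0xcb0 + 16; o2++) {
            char *p = strcpy(buf1 + o1, s1);
            char *g = strcpy(buf2 + o2, s2);
            if (sign(strncasecmp(p, g, n)) != sign(ref_strncasecmp(p, g, n))) {
                printf("mismatch: s1 at +%#x, s2 at +%#x\n", o1, o2);
                bad++;
            }
            memset(p, 0, strlen(s1) + 1);   /* reset for the next placement */
            memset(g, 0, strlen(s2) + 1);
        }
    }
    return bad;
}

int main(void)
{
    int bad = count_mismatches("gottpoff", "GOTPLT", 6) + count_mismatches("GOTPLT", "gottpoff", 6);
    printf("%d mismatching placements\n", bad);
    return bad != 0;
}
```

A libc carrying the fix reports zero mismatching placements; calling the function a second time with the arguments swapped puts the other string on the page boundary.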
Comment 2 H.J. Lu 2010-11-10 02:04:22 UTC
Created attachment 5118
A patch
Comment 3 H.J. Lu 2010-11-10 03:41:31 UTC
A patch is at

http://sourceware.org/ml/libc-alpha/2010-11/msg00031.html
Comment 4 Ulrich Drepper 2010-11-10 08:06:44 UTC
Patch is in git.